Abstract

The nonlocal behavior of quantum mechanics can be used to generate guaranteed fresh 
randomness from an untrusted device that consists of two nonsignalling components; since the 
generation process requires some initial fresh randomness to act as a catalyst, one also speaks 
of randomness expansion. 

Colbeck and Kent proposed the first method for generating randomness from untrusted
devices, but without providing a rigorous analysis. This was addressed subsequently by
Pironio et al. [Nature 464 (2010)], who aimed at deriving a lower bound on the min-entropy of
the data extracted from an untrusted device, based only on the observed non-local behavior of
the device. Although that article succeeded in developing important tools towards this
goal, it failed to put the tools together in a rigorous and correct way, and the given formal
claim on the guaranteed amount of min-entropy needs to be revisited.

In this paper we show how to combine the tools provided by Pironio et al., so as to obtain a
meaningful and correct lower bound on the min-entropy of the data produced by an untrusted 
device, based on the observed non-local behavior of the device. Our main result confirms the 
essence of the improperly formulated claims of Pironio et al., and puts them on solid ground. 

We also address the question of composability and show that different untrusted devices can 
be composed in an alternating manner under the assumption that they are not entangled. This 
enables superpolynomial randomness expansion based on two untrusted yet unentangled
devices. 

1 Introduction 

Background. One of the counter-intuitive features of quantum mechanics is its non-locality: 
measuring possibly far apart quantum systems in randomly selected bases (chosen out of some 
given class) may lead to correlations that are impossible to obtain classically. Anticipated by 
Einstein, Rosen and Podolsky [EPR35], it was John Bell [Bel64] who put this property on firm 
ground by proposing an inequality that is satisfied by any classical correlation, but is violated 
when the correlation is obtained from measuring entangled quantum states. Such inequalities are 
called Bell inequalities. 

An important example of such a Bell inequality was proposed by Clauser, Horne, Shimony
and Holt [CHSH69] and states that if $X$ and $Y$ are independent uniformly distributed bits, and
if the bit $A$ is obtained by "processing" $X$ without knowing $Y$, and the bit $B$ is obtained by
"processing" $Y$ without knowing $X$, then the probability that $A \oplus B = X \wedge Y$ is at most 75%. This
bound on the probability holds if the processing is done classically with shared randomness, but
can be violated when the processing involves measuring an entangled quantum state; in this latter
case, a probability of roughly 85% can be achieved.

Violating a Bell inequality necessarily means that there must be some amount of fresh randomness
in the outputs $A$ and $B$ (given the inputs $X$ and $Y$). More formally, consider an untrusted
device $\mathfrak{D}$, prepared by an adversarial manufacturer Eve. The device consists of two components,
set up by Eve, which on respective inputs $X$ and $Y$ produce respective outputs $A$ and $B$ without
communicating. No matter how the two components work, as long as a given Bell inequality is
violated during $n$ sequential interactions with $\mathfrak{D}$ (which can be observed by doing statistics), there
must be a certain amount of uncertainty in the $n$ output pairs $(A_1,B_1),\ldots,(A_n,B_n)$, even given
the $n$ input pairs $(X_1,Y_1),\ldots,(X_n,Y_n)$, and thus it should be possible to apply a randomness
extractor to obtain nearly-random bits.

This kind of randomness expansion from untrusted devices was first suggested by Colbeck [Col09]
and Colbeck and Kent [CK11], who presented a scheme that uses GHZ states and reaches a linear
expansion, however, without providing a rigorous security analysis. The main point missing in
these works is a method to rigorously bound the min-entropy of a device's output. The work of
Pironio et al. [PAM+10] addresses this issue, and they propose a technique to numerically compute
a lower bound on the min-entropy of the output pair $AB$ (conditioned on $X$ and $Y$) as a function
of the Bell value of the device $\mathfrak{D}$ (which quantifies the violation of Bell inequality). For the special
case of CHSH, they also show an analytical bound.

The authors of [PAM+10] also consider the case of $n$ sequential interactions with $\mathfrak{D}$, and they
show how to estimate the average Bell value of $\mathfrak{D}$ over the $n$ rounds by doing statistics over the
observed data. This is non-trivial because the Bell value of $\mathfrak{D}$ may change over the different rounds,
and, for each round, it may depend on the behavior of the previous rounds. In other words, the Bell
value of $\mathfrak{D}$ during round $i+1$ depends on the history $(A_1,B_1,X_1,Y_1),\ldots,(A_i,B_i,X_i,Y_i)$. Combining
things, Pironio et al. then claim to have a bound on the min-entropy of $(A_1,B_1),\ldots,(A_n,B_n)$,
conditioned on $(X_1,Y_1),\ldots,(X_n,Y_n)$, as a function of the observed data, i.e., as a function of
$(A_1,B_1,X_1,Y_1),\ldots,(A_n,B_n,X_n,Y_n)$. However, such a statement does not make sense, since the
considered min-entropy is a value determined by the experiment description (which specifies the
probability distribution), whereas the claimed bound depends on the specific outcome of the
experiment.^1 Furthermore, not only is the claim improperly formulated, but there is also a flaw in
its derivation, which is without an obvious fix. Thus, even though the necessary tools are
provided in [PAM+10], they are not put together in the right rigorous way to be able to control the
min-entropy of $(A_1,B_1),\ldots,(A_n,B_n)$ produced by an untrusted device $\mathfrak{D}$.

Our Result. In this paper, we make up for this shortfall in [PAM+10]. Specifically, we show
how to rigorously and correctly put together the tools provided in [PAM+10] in order to obtain
a meaningful (and correct) bound on the min-entropy of $(A_1,B_1),\ldots,(A_n,B_n)$, conditioned on
$(X_1,Y_1),\ldots,(X_n,Y_n)$, by means of the observed data. The trick is to consider and bound the
min-entropy conditioned on the event that the estimator for the average Bell value lies in some
interval. This gives us some control over the average Bell value of the device, but, as we show, still
leaves enough uncertainty in the data to get a good bound on its min-entropy.

^1 This is like saying that the min-entropy of throwing a fair die is lower bounded by the result of the throw: the
former equals $\log(6) \approx 2.6$, whereas the latter is a random number in $\{1,\ldots,6\}$. Trying to bound the min-entropy
conditioned on the observed outcome makes no sense either, because this conditional min-entropy obviously vanishes.

We also address the question of the composability of untrusted devices, and we show that
under the assumption that different devices are not entangled, the output of one device, after 
privacy amplification, can be used as input for a second device, and the resulting output of the 
second device, after privacy amplification, can again be fed into the first device, etc. Using an 
extractor with a short seed for doing the privacy amplification, this allows for a superpolynomial 
randomness-expansion scheme using two untrusted (but guaranteed-to-be unentangled) devices. 

Concurrent and Related Work. In concurrent and independent work, Vazirani and Vidick [VV11]
as well as Pironio and Massar [PM11a] came up with results that are overlapping with ours. We
briefly discuss here the similarities and the differences between our results and those of Vazirani
and Vidick and of Pironio and Massar. We encourage the reader to also look at the comparisons
given in [VV11, PM11a].

Vazirani and Vidick obtain a randomness-expansion scheme with superpolynomial expansion 
and security against quantum side information. We do not achieve security against quantum 
side information, and our superpolynomial randomness-expansion scheme requires two unentangled 
devices in an iterative way, whereas their scheme works with just one single device. On the other 
hand, their result is tailored to CHSH and requires an almost full violation of Bell inequality, while 
our result is generic and holds for any Bell inequality, and we show that any violation leads to some 
amount of fresh randomness. 

Pironio and Massar's results on the other hand are very similar to ours, and only differ in some
minor details.^2

In a very recent preprint, Barrett, Colbeck and Kent point out the possibility of Trojan-horse
attacks on device-independent randomness-expansion protocols [BCK12, Appendix]. It seems
impossible to prevent Eve from programming devices (that are used multiple times) to release, in later
rounds, information about previous outputs. We note that although such an attack seems unavoidable,
in a single activation of our randomness-expansion scheme (see [FGS11, Section 5] for details),
we can re-use the same devices over and over again and still prevent such a Trojan-horse attack by
only releasing the output of the very last round (and aborting if things go wrong before the last
round is reached).

2 Preliminaries 

We assume the reader is familiar with quantum information processing, and we merely fix our 
notation and some basic concepts in this section. Throughout the paper, all logarithms are base 2. 

2.1 Quantum States 

The state of a quantum system $A$ is given by a density matrix $\rho_A$, i.e., a positive-semidefinite
trace-1 matrix acting on some Hilbert space $\mathcal{H}_A$. We denote the set of all such matrices, acting on
$\mathcal{H}_A$, by $\mathcal{D}(\mathcal{H}_A)$. The state space of the joint quantum system $AB$, which consists of two (or more)
subsystems $A$ and $B$, is given by the tensor product $\mathcal{H}_{AB} = \mathcal{H}_A \otimes \mathcal{H}_B$. If the state of the joint
system is given by $\rho_{AB}$, then the state of the subsystem $A$ when considered as a "stand alone"
system is given by the reduced density matrix $\rho_A = \mathrm{tr}_B(\rho_{AB}) \in \mathcal{D}(\mathcal{H}_A)$, obtained by tracing out
system $B$.

^2 As a historical note, previous versions of their [PM11b] and our paper [FGS11] claimed security against quantum
side information, but both proofs were incorrect.

A random variable $X$ over a finite set $\mathcal{X}$ with probability distribution $P_X$ can be represented by
means of the density matrix as $\rho_X = \sum_x P_X(x)\,|x\rangle\langle x| \in \mathcal{D}(\mathcal{H}_X)$, where $\{|x\rangle\}_{x \in \mathcal{X}}$ forms a basis of
$\mathcal{H}_X = \mathbb{C}^{|\mathcal{X}|}$. Thus, we may view $X$ as a quantum system, and we say that its state, $\rho_X$, is classical.
If the state of a quantum system $E$ depends on the random variable $X$, in that the state of $E$ is
given by $\rho_E^x \in \mathcal{D}(\mathcal{H}_E)$ if $X = x$, then we can view the pair $XE$ as a bi-partite quantum system
in state $\rho_{XE} = \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_E^x \in \mathcal{D}(\mathcal{H}_X \otimes \mathcal{H}_E)$. This naturally extends to multiple random
variables and quantum systems.

The distance between two states $\rho_E, \rho'_E \in \mathcal{D}(\mathcal{H}_E)$ is measured by their trace distance $\frac{1}{2}\|\rho_E - \rho'_E\|_1$,
where $\|\cdot\|_1$ is the $L_1$ norm.^3 In case of classical states $\rho_X$ and $\rho'_X$, corresponding to distributions
$P_X$ and $P'_X$, the trace distance coincides with the statistical distance $\frac{1}{2}\sum_x |P_X(x) - P'_X(x)|$.

2.2 Closeness to Uniform, Min-Entropy, and Extractors 

In the following definitions, we consider a bi-partite system $XE$ with classical $X$, given by $\rho_{XE}$. $X$
is said to be random and independent of $E$ if $\rho_{XE} = \rho_U \otimes \rho_E$, where $\rho_U$ is the fully mixed state on
$\mathcal{H}_X$ (i.e., $U$ is classical and, as random variable, uniformly distributed).

Definition 2.1. The distance to uniform of $X$ given $E$ is $d(X \mid E) := \frac{1}{2}\|\rho_{XE} - \rho_U \otimes \rho_E\|_1$.

If $\Omega$ is some event, determined by the random variable $X$, then $d(X \mid E, \Omega)$ is naturally defined
by means of replacing the distribution $P_X$ by $P_{X|\Omega}$. The same applies to the next two definitions.

Definition 2.2. The guessing probability of $X$ given $E$ is

$$\mathrm{Guess}(X \mid E) := \sup_{\{M_x\}_x} \sum_x P_X(x)\,\mathrm{tr}(M_x \rho_E^x),$$

where the supremum is over all POVMs $\{M_x\}_x$ on $\mathcal{H}_E$.

Definition 2.3. The min-entropy of $X$ given $E$ is given by $H_{\min}(X \mid E) := -\log \mathrm{Guess}(X \mid E)$.

This definition was shown in [KRS09] to coincide with the definition originally introduced by 
Renner [Ren05] which also coincides with the classical definition of conditional min-entropy, in the 
case where £ is classical. 

Definition 2.4. A function $\mathrm{Ext} : \{0,1\}^n \times \{0,1\}^d \to \{0,1\}^m$ is a $(k, \varepsilon_{ext})$-strong extractor, if for
any bipartite quantum system $XE$ with classical $X$ and with $H_{\min}(X \mid E) > k$, and for a uniform
and independent seed $Y$, we have $d(\mathrm{Ext}(X,Y) \mid YE) < \varepsilon_{ext}$.

Note that we find "extractor against quantum adversaries" a too cumbersome terminology; thus 
we just call Ext a (strong) extractor, even though it is a stronger notion than the standard notion 
of a (strong) extractor. 

2.3 Bell-Inequality and CHSH 

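For given finite sets $\mathcal{A}, \mathcal{B}, \mathcal{X}, \mathcal{Y}$, consider a conditional probability distribution $P_{AB|XY}$, specified
as follows. There exists $\rho_{AB} \in \mathcal{D}(\mathcal{H}_A \otimes \mathcal{H}_B)$ for an arbitrary (finite) dimensional two-partite
quantum system $AB$, and families of measurements $\{M_x^a\}$ and $\{N_y^b\}$, indexed by $x \in \mathcal{X}$ and $y \in \mathcal{Y}$,
acting on $A$ and $B$, and with measurement outcomes $a \in \mathcal{A}$ and $b \in \mathcal{B}$, respectively, such that
$P_{AB|XY}(a,b \mid x,y) = \mathrm{tr}\big((M_x^a \otimes N_y^b)\,\rho_{AB}\,(M_x^a \otimes N_y^b)^\dagger\big)$ for all $(a,b,x,y) \in \mathcal{A} \times \mathcal{B} \times \mathcal{X} \times \mathcal{Y}$.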

^3 Defined by $\|A\|_1 := \mathrm{tr}(\sqrt{A^\dagger A})$, where $A^\dagger$ denotes the Hermitian transpose.

Definition 2.5 (Bell Value). For any set $C = \{c_{abxy}\}$ of Bell coefficients, the Bell value of $P_{AB|XY}$
(with respect to $C$) is defined as

$$I(P_{AB|XY}) = \sum_{abxy} c_{abxy}\, P_{AB|XY}(a,b \mid x,y)$$

$P_{AB|XY}$ is called classical (or local) if there exist (conditional) probability distributions $P_R$,
$P_{A|XR}$ and $P_{B|YR}$ such that $P_{AB|XY}(a,b \mid x,y) = \sum_r P_R(r)\,P_{A|XR}(a \mid x,r)\,P_{B|YR}(b \mid y,r)$ for all
$a, b, x, y$; this is equivalent to requiring that $P_{AB|XY}$ can be specified by means of a separable state
$\rho_{AB}$. We let $I_0$ denote the maximal Bell value achievable (for a given set of Bell coefficients) with
a classical $P_{AB|XY}$. We speak of a violation of Bell inequality if there exists a quantum system
resulting in conditional probability distribution with a Bell value greater than $I_0$.

For instance, for so-called CHSH Bell coefficients [CHSH69], given by $c_{abxy} = (-1)^{xy}(-1)^{a \oplus b}$
for $a, b, x, y \in \{0,1\}$, it is known that $I_0 = 2$, but $I = 2\sqrt{2}$ is possible for a quantum system.

3 Fresh Randomness from Untrusted Devices 

In this section, we recall (some of) the findings of [PAM+10], and also discuss and fix some subtle
issue that got neglected there. Throughout this and the upcoming sections, we consider fixed finite
sets $\mathcal{A}, \mathcal{B}, \mathcal{X}, \mathcal{Y}$, and a fixed set $C = \{c_{abxy}\}$ of Bell coefficients. The reader may think of CHSH, but
our results hold generally.

3.1 A Single Interaction 

We consider an untrusted device $\mathfrak{D}$ prepared by an adversary Eve. As discussed in the introduction,
$\mathfrak{D}$ consists of two components,^4 which, on respective inputs $x \in \mathcal{X}$ and $y \in \mathcal{Y}$, produce respective
outputs $a \in \mathcal{A}$ and $b \in \mathcal{B}$ without communicating. Formally, $\mathfrak{D}$'s behavior is given by an unknown
conditional probability distribution $P_{AB|XY}$, which is specified by an unknown quantum state $\rho_{AB} \in
\mathcal{D}(\mathcal{H}_A \otimes \mathcal{H}_B)$ of unknown dimension, and unknown families of measurements $\{M_x^a\}$ and $\{N_y^b\}$, acting
on the respective systems $A$ and $B$. We are interested in the guaranteed amount of uncertainty in
$A$ and $B$ (conditioned on $X$ and $Y$), under the promise that $P_{AB|XY}$ has some given Bell value,
greater than $I_0$. This motivates the following definition.

Definition 3.1. For a given set of Bell coefficients, we define $h_0$ to be the function

$$h_0(I) = \inf_{\rho_{AB},\{M_x^a\},\{N_y^b\}} \; \min_{x \in \mathcal{X},\, y \in \mathcal{Y}} H_{\min}(AB \mid X = x, Y = y)$$

where the outer infimum is over all finite dimensional Hilbert spaces $\mathcal{H}_A$ and $\mathcal{H}_B$, all states $\rho_{AB} \in
\mathcal{D}(\mathcal{H}_A \otimes \mathcal{H}_B)$, and all families of measurements $\{M_x^a\}$ and $\{N_y^b\}$ such that the resulting conditional
probability distribution $P_{AB|XY}(a,b \mid x,y) = \mathrm{tr}(M_x^a \otimes N_y^b \, \rho_{AB} \, M_x^{a\dagger} \otimes N_y^{b\dagger})$ has Bell value at least $I$.
Also, we define $h$ to be the convex closure of $h_0$, i.e., the maximal convex function that does not
exceed $h_0$.^5

Pironio et al. [PAM+10] show that by means of a hierarchy of semi-definite programs (SDPs)
[NPA07, NPA08], $h_0(I)$ can be numerically computed up to arbitrary precision (by means of a possibly
expensive computation). They also show an analytical lower bound of $1 - \log\big(1 + \sqrt{2 - I^2/4}\big)$
for $h_0(I)$ in the case of CHSH, which reaches 1 for $I = I_{\max} = 2\sqrt{2}$ (whereas the numerical
calculation gives $h_0(2\sqrt{2}) \approx 1.23$), and monotonically decreases to 0 as $I$ goes down to $I_0 = 2$; see
Figure 2 in [PAM+10]. Since this lower bound is convex, it is also a lower bound on $h$;^6 we will
need this later on. For now, we can conclude that if an unknown bipartite quantum system (with
fixed measurements $\{M_x^a\}$ and $\{N_y^b\}$) is promised to have a CHSH value of $I = 2\sqrt{2}$, then the joint
min-entropy in the measurement outcomes $A$ and $B$ is lower bounded by approximately 1.23 bits
(respectively 1 bit, if one wants to rely on the analytical bound).

^4 The results derived here apply also to devices with three or more components, including the three-component
devices used by [CK11].

^5 Formally, $h(I) = \max f(I)$ where the maximum is over all convex functions $f$ which are upper bounded by $h_0$.



3.2 Sequential Repetitions 

In order to get more uncertainty, and in order to be able to estimate the Bell value, we consider a
sequential repetition of extracting uncertainty from an untrusted device $\mathfrak{D}$ as above. Informally,
rather than interacting with $\mathfrak{D}$ once (i.e., inputting $(x,y) \in \mathcal{X} \times \mathcal{Y}$ and observing $(a,b) \in \mathcal{A} \times \mathcal{B}$), $\mathfrak{D}$ is
interacted with $n$ times in sequence, by inputting $(x_1,y_1) \in \mathcal{X} \times \mathcal{Y}$ and observing $(a_1,b_1) \in \mathcal{A} \times \mathcal{B}$,
inputting $(x_2,y_2) \in \mathcal{X} \times \mathcal{Y}$ and observing $(a_2,b_2) \in \mathcal{A} \times \mathcal{B}$, etc. This procedure is formalized as
follows.



Modeling. We consider an arbitrary but fixed bipartite state $\rho_{AB} \in \mathcal{D}(\mathcal{H}_A \otimes \mathcal{H}_B)$ of an arbitrary
finite-dimensional bipartite quantum system $AB$, and a sequence of $n$ arbitrary but fixed pairs of
families of measurements $(\{M_{x_1}^{a_1}\},\{N_{y_1}^{b_1}\}),\ldots,(\{M_{x_n}^{a_n}\},\{N_{y_n}^{b_n}\})$.

For each pair, $\{M_{x_j}^{a_j}\}$ is a family of measurements, indexed by $x_j \in \mathcal{X}$, acting on $A$, with
measurement outcomes $a_j \in \mathcal{A}$, and similar for $\{N_{y_j}^{b_j}\}$. We allow the two components of the
device to communicate between the rounds; this is captured by a sequence $U_2,\ldots,U_n$ of unitary
transformations acting on $\mathcal{H}_A \otimes \mathcal{H}_B$, where $U_j$ is applied to the (collapsed) state before the $j$th
interaction. For $j \in \{1,\ldots,n\}$, denote with $a^j$ the concatenation of the first $j$ rounds $a^j = a_1 \cdots a_j$
and the same for $b$, $x$ and $y$. Let $A^j, B^j, X^j, Y^j$ be the corresponding random variables. To ease
notation, we use bold letters as shortcuts for the concatenation of all $n$ rounds, e.g. $\mathbf{a} = a^n$, $\mathbf{A} = A^n$,
etc.

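Formally, the conditional probability distribution $P_{\mathbf{AB}|\mathbf{XY}}$ is defined as

$$P_{\mathbf{AB}|\mathbf{XY}}(\mathbf{a},\mathbf{b} \mid \mathbf{x},\mathbf{y}) = \prod_{j=1}^{n} P_{A_jB_j|X_jY_jHist_j}(a_j,b_j \mid x_j,y_j,hist_j)$$

where $Hist_j = (A^{j-1},B^{j-1},X^{j-1},Y^{j-1})$ and $hist_j = (a^{j-1},b^{j-1},x^{j-1},y^{j-1})$, and

$$P_{A_jB_j|X_jY_jHist_j}(a_j,b_j \mid x_j,y_j,hist_j) = \mathrm{tr}\big((M_{x_j}^{a_j} \otimes N_{y_j}^{b_j})\,\rho_{AB|Hist_j=hist_j}\,(M_{x_j}^{a_j} \otimes N_{y_j}^{b_j})^\dagger\big)$$

where $\rho_{AB|Hist_j=hist_j}$ is inductively defined for $j = 1,\ldots,n$ as follows. $\rho_{AB|Hist_1=hist_1} = \rho_{AB}$, and,
for $1 \le j < n$,

$$\rho_{AB|Hist_{j+1}=hist_{j+1}} = U_{j+1}\,\frac{(M_{x_j}^{a_j} \otimes N_{y_j}^{b_j})\,\rho_{AB|Hist_j=hist_j}\,(M_{x_j}^{a_j} \otimes N_{y_j}^{b_j})^\dagger}{P_{A_jB_j|X_jY_jHist_j}(a_j,b_j \mid x_j,y_j,hist_j)}\,U_{j+1}^\dagger$$

is the state obtained by applying $U_{j+1}$ to the state to which $\rho_{AB|Hist_j=hist_j}$ collapses when $A$ and
$B$ are measured by $\{M_{x_j}^{a_j}\}$ and $\{N_{y_j}^{b_j}\}$, respectively, and $a_j$ and $b_j$ are observed.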

What is important to realize is that before every round $j$, the situation is exactly as in the
previous Section 3.1, with a fixed state $\rho_{AB|Hist_j=hist_j}$ and fixed measurements $\{M_{x_j}^{a_j}\}$ and $\{N_{y_j}^{b_j}\}$
in the device $\mathfrak{D}$, and thus $P_{A_jB_j|X_jY_jHist_j}(\cdot,\cdot \mid \cdot,\cdot,hist_j)$ here behaves as $P_{AB|XY}$ does in Section 3.1.

^6 Actually, the numerical computations for CHSH suggest that $h = h_0$; we do not know if this holds generally.

We would like to point out that there is no need to make $\{M_{x_j}^{a_j}\}$ (and the same for $\{N_{y_j}^{b_j}\}$)
dependent on previous in- and outputs, i.e., on $hist_j$ using the above notation, because we may
assume that the measurement $\{M_{x_j}^{a_j}\}$ encodes $x_j$ and $a_j$ into the post-measurement state of $A$,
and that the subsequent unitary $U_{j+1}$ copies this (classical) information into the state of $B$. The
subsequent measurements can then be control measurements, which perform a measurement depending
on the history. Similarly, we may assume the $\{M_{x_j}^{a_j}\}$'s to be identical for different $j$'s (and
the same for $\{N_{y_j}^{b_j}\}$'s), since the quantum system $A$ may maintain a counter that is increased by
every unitary $U_j$, and $\{M_{x_j}^{a_j}\}$ can then be chosen as a control measurement that is controlled by
the counter.^7

Given the conditional probability distribution $P_{\mathbf{AB}|\mathbf{XY}}$, specified above, which describes the
input-output behavior of the $n$ sequential interactions with the device $\mathfrak{D}$, once a distribution $P_{\mathbf{XY}}$
is decided upon, which specifies how the inputs $x_j$ and $y_j$ are chosen in each round, the joint
probability distribution $P_{\mathbf{ABXY}}$ is determined as $P_{\mathbf{ABXY}} = P_{\mathbf{XY}} P_{\mathbf{AB}|\mathbf{XY}}$.

Estimating the Bell value. Once the device $\mathfrak{D}$ is given, i.e. the state $\rho_{AB}$, the measurements
$(\{M_{x_1}^{a_1}\},\{N_{y_1}^{b_1}\}),\ldots,(\{M_{x_n}^{a_n}\},\{N_{y_n}^{b_n}\})$ and the unitaries $U_2,\ldots,U_n$ are fixed, $P_{A_1B_1|X_1Y_1}$, and thus
the Bell value of the first round of interaction, $I_1 = I(P_{A_1B_1|X_1Y_1})$, is determined. For the other
rounds, this is slightly more subtle. The reason is that the state $\rho_{AB|Hist_2=hist_2}$ before the second
round, and thus the probability distribution $P_{A_2B_2|X_2Y_2,Hist_2=hist_2}$, depends on what happened in
the first round, i.e., depends on $hist_2 = (a_1,b_1,x_1,y_1)$. Thus, the Bell value of the second round,
$I_2 = I(P_{A_2B_2|X_2Y_2,Hist_2=hist_2})$, is a function of $hist_2$. Similarly, the Bell value of the $j$-th round,
$I_j = I(P_{A_jB_j|X_jY_j,Hist_j=hist_j})$, is a function of $hist_j$. We let

$$\bar{I} = \frac{1}{n}\sum_{j=1}^{n} I_j$$

be the average Bell value, averaged over the $n$ rounds, and we write $\bar{I} = \bar{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y})$ to make its
dependency on the $\mathbf{a}$, $\mathbf{b}$ etc. explicit.^8

Pironio et al. show in [PAM+10] that the average Bell value $\bar{I}$ can be estimated by analyzing
the data collected over the $n$ rounds. Specifically, defining

$$\hat{I} = \hat{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}) = \frac{1}{n}\sum_{j=1}^{n}\sum_{abxy} c_{abxy}\,\frac{\chi(a_j = a, b_j = b, x_j = x, y_j = y)}{P_{XY}(x,y)} \qquad (2)$$

where $\chi(e)$ is the indicator of the event $e$ (that is, $\chi(e) = 1$ if the event $e$ occurs and 0 otherwise),
the following holds.

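Proposition 3.2 ([PAM+10]). For $\bar{I}$ and $\hat{I}$ as above, for arbitrary but iid $(\mathbf{X},\mathbf{Y})$, meaning that
$P_{\mathbf{XY}} = \prod_j P_{X_jY_j}$ with $P_{X_jY_j} = P_{XY}$ for all $j$, and for any $\varepsilon > 0$:

$$P\big[\bar{I}(\mathbf{A},\mathbf{B},\mathbf{X},\mathbf{Y}) < \hat{I}(\mathbf{A},\mathbf{B},\mathbf{X},\mathbf{Y}) - \varepsilon\big] < \exp\left(-\frac{\varepsilon^2 n}{2\left(\frac{c_{\max}}{p_{\min}} + I_{\max}\right)^2}\right)$$

where $I_{\max}$ is the maximal value of $I$ achievable by means of a quantum system, and
$p_{\min} = \min_{x,y} P_{XY}(x,y)$ and $c_{\max} = \max\{c_{abxy}\}$.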



^7 These observations on the independence of the measurements on the history and the round are not crucial for
our proofs; they merely simplify the notation.

^8 Actually, it only depends on $(a^{n-1}, b^{n-1}, x^{n-1}, y^{n-1})$.

Thus, except with small probability, the estimated value $\hat{I}$ for the average Bell value is not
much smaller than the real average Bell value $\bar{I}$. For a fixed choice of Bell coefficients $C = \{c_{abxy}\}$,
which uniquely determines $I_{\max}$, we write $c(p_{\min}) = \frac{\log e}{2}\left(\frac{c_{\max}}{p_{\min}} + I_{\max}\right)^{-2}$, so that the probability in
Proposition 3.2 can be written as $2^{-c(p_{\min})\varepsilon^2 n}$.

We stress that for Proposition 3.2 to hold, it is crucial that $\mathbf{X}$ and $\mathbf{Y}$ are chosen independently
of the internal state of $\mathfrak{D}$; this is implicit in the statement of Proposition 3.2 by having modeled
the internal state of $\mathfrak{D}$ to be fixed and independent of $\mathbf{X}$ and $\mathbf{Y}$: $\rho_{\mathbf{XY}AB} = \rho_{\mathbf{XY}} \otimes \rho_{AB}$.
Obviously, if $\mathfrak{D}$ knows $\mathbf{X}$ and $\mathbf{Y}$ in advance, then it can easily pretend to have a large Bell value
while, for instance, being classical.

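Bounding the min-entropy. It remains to argue that if $\bar{I}$ is non trivial, i.e. sufficiently greater
than $I_0$, which can be learned by observing $\hat{I}$ (except with small probability), then the pair $(\mathbf{A},\mathbf{B})$
contains a linear (in $n$) amount of min-entropy. To this end, Pironio et al. show (see equation (A.5)
in [PAM+10]) that

$$P_{\mathbf{AB}|\mathbf{XY}}(\mathbf{a},\mathbf{b} \mid \mathbf{x},\mathbf{y}) < 2^{-n \cdot h(\bar{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}))} \qquad (3)$$

for all $\mathbf{a}, \mathbf{b}, \mathbf{x}, \mathbf{y}$. In the derivation, they use the fact that $h$ is convex. From (3), they conclude (see
equation (A.9) in [PAM+10]) that $H_{\min}(\mathbf{AB} \mid \mathbf{X} = \mathbf{x}, \mathbf{Y} = \mathbf{y}) > n \cdot h(\bar{I})$ and thus $> n \cdot h(\hat{I} - \varepsilon)$
except with small probability. However, this conclusion does not seem correct. What follows from
(3) is that

$$H_{\min}(\mathbf{AB} \mid \mathbf{X} = \mathbf{x}, \mathbf{Y} = \mathbf{y}) > n \cdot h(\bar{I}(\mathbf{a}^\circ,\mathbf{b}^\circ,\mathbf{x},\mathbf{y})) \qquad (4)$$

for the values $\mathbf{a}^\circ$ and $\mathbf{b}^\circ$ that minimize the right-hand side of (4); but then, the right-hand side
of (4) is likely to be smaller than $n \cdot h(\bar{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}))$ or $n \cdot h(\hat{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}))$ for the values $\mathbf{a}$ and $\mathbf{b}$
actually observed.^9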

For the remainder of this section, we propose and discuss a possible way to get a meaningful and
useful statement on the min-entropy of $(\mathbf{A},\mathbf{B})$ in terms of $h(\bar{I})$, and thus of $h(\hat{I})$ except with small
probability. We partition the interval $[I_0, I_{\max}] \subset \mathbb{R}$, ranging from the trivial — meaning classical —
Bell value $I_0$ to the maximal value $I_{\max}$, into $m$ disjoint blocks: $[I_0, I_{\max}] = \Omega_0 \cup \ldots \cup \Omega_{m-1}$, where
$\Omega_\ell$ is of the form $\Omega_\ell = [J_\ell, J_{\ell+1})$, with the exception that $\Omega_{m-1} = [J_{m-1}, I_{\max}]$, for some boundary
points $I_0 = J_0 \le J_1 \le \cdots \le J_{m-1} < I_{\max}$. The value of $m \in \mathbb{N}$ and the (possibly different) sizes of
the $\Omega_\ell$'s are arbitrary but fixed.

For any parameter $\varepsilon > 0$, given the random variables $\mathbf{A}, \mathbf{B}, \mathbf{X}, \mathbf{Y}$, describing the $n$ interactions
with the device $\mathfrak{D}$, we can now define the random variable $L_\varepsilon$ to be the unique random variable
that satisfies $\hat{I}(\mathbf{A},\mathbf{B},\mathbf{X},\mathbf{Y}) - \varepsilon \in \Omega_{L_\varepsilon}$ (with natural adjustments outside of the range $[I_0, I_{\max}]$).^10

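Theorem 3.3. Let $(\mathbf{X},\mathbf{Y})$ be iid. Then, for any $\varepsilon, \delta > 0$ there exists a "good" event $\mathcal{G}$ with
$P[\mathcal{G}] > 1 - m \cdot 2^{-\delta n} - 3 \cdot 2^{-c(p_{\min})\varepsilon^2 n}$, and such that

$$\mathrm{Guess}(\mathbf{AB} \mid \mathbf{X} = \mathbf{x}, \mathbf{Y} = \mathbf{y}, L_\varepsilon = \ell, \mathcal{G}) < 2^{-n \cdot h(J_\ell) + \delta n + 1}$$

and thus

$$H_{\min}(\mathbf{AB} \mid \mathbf{X} = \mathbf{x}, \mathbf{Y} = \mathbf{y}, L_\varepsilon = \ell, \mathcal{G}) > n \cdot h(J_\ell) - \delta n - 1$$

for all $\mathbf{x} \in \mathcal{X}^n$, $\mathbf{y} \in \mathcal{Y}^n$ and $\ell \in \{0,\ldots,m-1\}$ with $P_{\mathbf{XY}L_\varepsilon|\mathcal{G}}(\mathbf{x},\mathbf{y},\ell) > 0$.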

^9 When approached with this issue, the authors of [PAM+10] confirmed that their formulation is improper, and they
mentioned that they have been aware of it and know how to solve it. In particular, their independent work [PM11a]
fixes this issue in a similar manner as we do here.

^10 The definition of $L_\varepsilon$ simply captures that if $\hat{I}$ is too close to the lower end of an interval, then we take the next
lower interval to be on the safe side.

We would like to point out that for the bound on $P[\mathcal{G}]$ to hold, it is crucial that $\rho_{AB}$ is
independent of $(\mathbf{X},\mathbf{Y})$ (and the $(X_j,Y_j)$'s are iid): clearly, the device can fool you if it knows
the inputs it will get in advance. However, for the event $\mathcal{G}$ as defined in the proof below, the
bound on the guessing probability holds irrespectively of the distribution of $\mathbf{X}$ and $\mathbf{Y}$. Indeed,
the value of $\mathrm{Guess}(\mathbf{AB} \mid \mathbf{X} = \mathbf{x}, \mathbf{Y} = \mathbf{y}, L_\varepsilon = \ell, \mathcal{G})$ is determined by the conditional probability
distribution $P_{\mathbf{AB}|\mathbf{XY}}(\cdot,\cdot \mid \mathbf{x},\mathbf{y})$ alone (which is determined by $\rho_{AB}$, the family of measurements and
the unitaries); this holds because $L_\varepsilon$ as well as $\mathcal{G}$ (this, we will see below) are uniquely determined
by $\mathbf{A}$, $\mathbf{B}$, $\mathbf{X}$ and $\mathbf{Y}$.

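Proof. Let $\mathcal{B}^{guess}$ be the bad event $\bar{I}(\mathbf{A},\mathbf{B},\mathbf{X},\mathbf{Y}) < \hat{I}(\mathbf{A},\mathbf{B},\mathbf{X},\mathbf{Y}) - \varepsilon$ that the estimated Bell
value $\hat{I}$ is significantly larger than the average Bell value $\bar{I}$, and let $\mathcal{G}^{guess}$ be its complement (which
we understand as a good event); by Proposition 3.2, we know that $P[\mathcal{B}^{guess}] < 2^{-c(p_{\min})\varepsilon^2 n}$. We
define $\mathcal{B}_1$ to be the set of all "bad inputs" $(\mathbf{x},\mathbf{y})$ with the property that

it is straightforward to show that $P[(\mathbf{X},\mathbf{Y}) \in \mathcal{B}_1] < 2 \cdot 2^{-c(p_{\min})\varepsilon^2 n}$. Finally, we define $\mathcal{B}_2$ to be the
set of all $(\mathbf{x},\mathbf{y},\ell)$ with the property that

$$P_{L_\varepsilon|\mathbf{XY}\mathcal{G}^{guess}}(\ell \mid \mathbf{x},\mathbf{y}) < 2^{-\delta n}.$$

It follows from the definition of $\mathcal{B}_2$ that $P[(\mathbf{X},\mathbf{Y},L_\varepsilon) \in \mathcal{B}_2 \mid \mathcal{G}^{guess}] < m \cdot 2^{-\delta n}$. We slightly abuse
notation and identify the set $\mathcal{B}_1$ with the bad event $(\mathbf{X},\mathbf{Y}) \in \mathcal{B}_1$ and we write $\mathcal{G}_1$ for its
complementary good event, and correspondingly for $\mathcal{B}_2$ and $\mathcal{G}_2$. We now define the good event $\mathcal{G}$ as
$\mathcal{G} := \mathcal{G}^{guess} \wedge \mathcal{G}_1 \wedge \mathcal{G}_2$. Using union bound over the bad events, it is not too hard to show that
$P[\mathcal{G}] > 1 - m \cdot 2^{-\delta n} - 3 \cdot 2^{-c(p_{\min})\varepsilon^2 n}$.

It remains to argue the bound on the min-entropy. Let $\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}$ be such that $\bar{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}) >
\hat{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}) - \varepsilon$, i.e., they have positive probability conditioned on the good event $\mathcal{G}^{guess}$. Furthermore,
let $\ell$ be the unique value with $\hat{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}) - \varepsilon \in \Omega_\ell$. If $(\mathbf{x},\mathbf{y}) \notin \mathcal{B}_1$, then $P[\mathcal{G}^{guess} \mid \mathbf{X} =
\mathbf{x}, \mathbf{Y} = \mathbf{y}] > \frac{1}{2}$ and hence, conditioning on the event $\mathcal{G}^{guess}$ will increase the probabilities by at most
a factor of 2. For those $(\mathbf{x},\mathbf{y}) \notin \mathcal{B}_1$, it then follows from (3) that

$$P_{\mathbf{AB}|\mathbf{XY},\mathcal{G}^{guess}}(\mathbf{a},\mathbf{b} \mid \mathbf{x},\mathbf{y}) < 2 \cdot 2^{-n \cdot h(\bar{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}))} < 2 \cdot 2^{-n \cdot h(\hat{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}) - \varepsilon)} < 2 \cdot 2^{-n \cdot h(J_\ell)}.$$

If additionally we have $(\mathbf{x},\mathbf{y},\ell) \notin \mathcal{B}_2$, then

$$P_{\mathbf{AB}|\mathbf{XY}L_\varepsilon\mathcal{G}^{guess}}(\mathbf{a},\mathbf{b} \mid \mathbf{x},\mathbf{y},\ell) < \frac{P_{\mathbf{AB}|\mathbf{XY}\mathcal{G}^{guess}}(\mathbf{a},\mathbf{b} \mid \mathbf{x},\mathbf{y})}{P_{L_\varepsilon|\mathbf{XY}\mathcal{G}^{guess}}(\ell \mid \mathbf{x},\mathbf{y})} < 2 \cdot 2^{-n \cdot h(J_\ell)} \cdot 2^{\delta n}.$$

Note that additionally conditioning on $\mathcal{G}_1$ and $\mathcal{G}_2$ does not change the above conditional probability
distribution if $(\mathbf{x},\mathbf{y}) \notin \mathcal{B}_1$ and $(\mathbf{x},\mathbf{y},\ell) \notin \mathcal{B}_2$. Thus, the same bound also applies to
$P_{\mathbf{AB}|\mathbf{XY}L_\varepsilon,\mathcal{G}}(\mathbf{a},\mathbf{b} \mid \mathbf{x},\mathbf{y},\ell)$, for all $\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}$ and $\ell$ with $P_{\mathbf{ABXY}L_\varepsilon|\mathcal{G}}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y},\ell) > 0$. By definition
of the guessing probability and the min-entropy, this proves the claim. □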

A specific example. Consider CHSH, so that the Bell value of a given device is expected to
be in the range from $I_0 = 2$ to $I_{\max} = 2\sqrt{2} \approx 2.828$. Let us divide this range into $J_0 = I_0 < J_1 =
2.2 < J_2 = 2.4 < J_3 = 2.6 < I_{\max}$, and let us take a $q$-biased input distribution $P_{\mathbf{XY}} = \prod_j P_{X_jY_j}$
with $P_{X_jY_j}(0,0) = 1 - 3q$ and $P_{X_jY_j}(x,y) = q$ for all $(x,y) \in \{0,1\}^2 \setminus \{(0,0)\}$, where $0 < q < 1/4$
is some parameter. Finally, let us fix some small parameters $\varepsilon, \delta > 0$; for concreteness, say that
$\varepsilon = 0.05$ and $\delta = 0.01$.

Consider now $n$ sequential interactions with an untrusted device $\mathfrak{D}$, where in each round $x_j$ and
$y_j$ are chosen (according to $P_{X_jY_j}$) and input into $\mathfrak{D}$, and $a_j$ and $b_j$ are obtained as output from $\mathfrak{D}$.
Let us say that from the collected data, we get $\hat{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}) = 2.7 \in \Omega_3$ as estimation for the average
Bell value. By Theorem 3.3, we have that given $\mathbf{x}$ and $\mathbf{y}$ and $L_\varepsilon = 3$, the min-entropy of $\mathbf{a}$ and $\mathbf{b}$ is
at least $n \cdot (h(2.6) - \delta) - 1 \approx n \cdot (0.36 - \delta) > n/3$ bits, except with probability $4 \cdot 2^{-\delta n} + 3 \cdot 2^{-c(q)\varepsilon^2 n}$.^11
Thus, when applying a suitable randomness extractor to $\mathbf{a},\mathbf{b}$, we can extract, say, $n/4$ bits that
are exponentially close to uniformly distributed (given $\mathbf{x}$ and $\mathbf{y}$ and $L_\varepsilon = 3$).
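
The bookkeeping behind these numbers, as an added Python example that is not part of the paper: it evaluates the estimator (2) on recorded rounds, selects the block index, and applies the min-entropy bound of Theorem 3.3 with the analytic CHSH bound from Section 3.1 standing in for h. The simulated device, the function names and the clamping of out-of-range values are assumptions made for illustration.

```python
import bisect
import math
import random

I_0, I_MAX = 2.0, 2 * math.sqrt(2)  # classical and quantum CHSH maxima

def chsh_coeff(a, b, x, y):
    """CHSH Bell coefficient c_abxy = (-1)^(x*y) * (-1)^(a xor b)."""
    return (-1) ** (x * y) * (-1) ** (a ^ b)

def input_dist(q):
    """q-biased inputs of the example: P(0,0) = 1 - 3q, P(x,y) = q otherwise."""
    if not 0 < q < 0.25:
        raise ValueError("q must satisfy 0 < q < 1/4")
    return {(0, 0): 1 - 3 * q, (0, 1): q, (1, 0): q, (1, 1): q}

def estimate_bell_value(rounds, p_xy):
    """Estimator (2): mean over rounds of c_{a_j b_j x_j y_j} / P_XY(x_j, y_j)."""
    if not rounds:
        raise ValueError("no rounds recorded")
    total = sum(chsh_coeff(a, b, x, y) / p_xy[(x, y)] for a, b, x, y in rounds)
    return total / len(rounds)

def chsh_entropy_rate(bell_value):
    """Analytic CHSH bound 1 - log2(1 + sqrt(2 - I^2/4)), a lower bound on h(I)."""
    i = min(max(bell_value, I_0), I_MAX)
    return 1 - math.log2(1 + math.sqrt(max(0.0, 2 - i * i / 4)))

def block_index(i_hat, eps, boundaries):
    """Index l of the block [J_l, J_{l+1}) that contains i_hat - eps.

    Assumption: values below J_0 fall into block 0 and values above I_max
    into the last block (one reading of the "natural adjustments").
    """
    l = bisect.bisect_right(boundaries, i_hat - eps) - 1
    return min(max(l, 0), len(boundaries) - 1)

def min_entropy_bound(n, i_hat, eps, delta, boundaries):
    """Return (l, n*h(J_l) - delta*n - 1), with the bit count clamped at 0."""
    l = block_index(i_hat, eps, boundaries)
    bits = n * chsh_entropy_rate(boundaries[l]) - delta * n - 1
    return l, max(0.0, bits)

def simulate_device(n, q, win_prob, rng):
    """Constructed stand-in device: a is a fair coin and a xor b = x*y holds
    with probability win_prob (0.75 is the classical optimum, cos^2(pi/8)
    the quantum one). Inputs are drawn iid and independently of the device."""
    p_xy = input_dist(q)
    pairs = list(p_xy)
    inputs = rng.choices(pairs, weights=[p_xy[p] for p in pairs], k=n)
    rounds = []
    for x, y in inputs:
        a = rng.randrange(2)
        wins = rng.random() < win_prob
        b = a ^ (x * y) ^ (0 if wins else 1)
        rounds.append((a, b, x, y))
    return rounds

if __name__ == "__main__":
    n, q, eps, delta = 200_000, 0.05, 0.05, 0.01
    J = [2.0, 2.2, 2.4, 2.6]  # boundary points J_0..J_3 from the example
    rng = random.Random(2012)  # fixed seed so the run is repeatable
    for name, win in (("quantum", math.cos(math.pi / 8) ** 2), ("classical", 0.75)):
        data = simulate_device(n, q, win, rng)
        i_hat = estimate_bell_value(data, input_dist(q))
        l, bits = min_entropy_bound(n, i_hat, eps, delta, J)
        print(f"{name}: I_hat={i_hat:.3f} block={l} certified bits>={bits:.0f}")
```

A device that only reaches the classical value lands in block 0, where the bound certifies no min-entropy at all.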

In order to sample the inputs according to the biased input distribution $P_{\mathbf{XY}}$, as suggested
in [PAM+10], it is known to be sufficient (in average) to have access to $n \cdot O(q \log(1/q))$ random
bits [KY76]. Since $q \log(1/q)$ converges to 0 for $q \to 0$, if $q$ is chosen to be a small enough constant,
then, say, $n/4$ random bits are sufficient. Thus, by starting off with $n/4$ random bits,^12 we obtained
another $n/4$ almost-random bits and thus hold now $n/2$ random bits. Thus, we have expanded the
randomness by a factor 2. Choosing q = 0(l/\/n), one obtains an expansion factor 0(-y/n/ log n) 
while still being negligibly close to perfect randomness (since c(l/-\/n) = ^{1/ ^/n)). 

Having generated fresh randomness from an untrusted device $\mathfrak{D}$, one is now tempted to use the
newly obtained randomness to generate even more fresh randomness from the device $\mathfrak{D}$, and so on.
This does not work. The reason is that the generated randomness is not random to the device $\mathfrak{D}$,
or, more formally, not independent of the internal state of $\mathfrak{D}$; indeed, $\mathfrak{D}$ has already observed $\mathbf{x}$
and $\mathbf{y}$ and it has itself produced $\mathbf{a}$ and $\mathbf{b}$. We argue below, however, that we can use the fresh
randomness to generate even more randomness from another device, as long as the devices are not
entangled with each other nor with the adversary.

Classical Side Information. The case where the adversarial producer Eve of the devices holds
classical side information about the device $\mathfrak{D}$ can be reduced to the case without side information
by conditioning on particular values of the side information.

4 Composability 

Consider two (or more) untrusted devices $\mathfrak{D}$ and $\mathfrak{D}'$, prepared by the adversary Eve. We assume
that $\mathfrak{D}$ and $\mathfrak{D}'$ cannot communicate and are not entangled with each other. The case when Eve
holds classical side information about the devices can be treated as described in the previous section.
We can then apply Theorem 3.3 to argue that the output $\mathbf{AB}$ produced by $\mathfrak{D}$ has high min-entropy
(except with small probability) given the internal state of $\mathfrak{D}'$ (because $\mathfrak{D}'$ is independent of $\mathfrak{D}$),
assuming that a large enough average Bell value is observed. It thus follows that by applying an
extractor (with suitable parameters and a freshly chosen seed) to $\mathbf{AB}$, we obtain a bitstring $K$ that
is close to random and independent of the internal state of $\mathfrak{D}'$. This in particular implies that if we
use the randomness $K$ to sample the input $\mathbf{X}'\mathbf{Y}'$ to $\mathfrak{D}'$ (according to a prescribed distribution),
then $\mathbf{X}'\mathbf{Y}'$ is close to independent of the internal state of $\mathfrak{D}'$. As the dependency between the
internal (quantum) state of $\mathfrak{D}$ and the in-/outputs of $\mathfrak{D}'$ is purely classical, we can condition on
this classical information and apply Theorem 3.3 to argue that the output $\mathbf{A}'\mathbf{B}'$ produced by $\mathfrak{D}'$
has high min-entropy given the current internal state of $\mathfrak{D}$. Therefore, we are in the same situation
as above, and so can use the randomness extracted from $\mathbf{A}'\mathbf{B}'$ to sample again inputs for $\mathfrak{D}$, and
we can keep on going like this as long as a large enough Bell value is observed. We stress that
the above line of reasoning only works because we assumed the devices to be unentangled
to start with. In order to see quantitatively how this procedure can lead to a super polynomial
randomness expansion, we refer to [FGS11, Section 5].

^11 This probability is on average over the execution; given a specific outcome for $\hat{I}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y})$, like 2.7 here, the
probability may be different.

^12 We are ignoring here the randomness needed for the extractor.

5 Conclusion and Open Problems 

An interesting extension to our result is to generalize Theorem 3.3 to the setting of quantum side 
information. This would allow a composition theorem for the more general case in which the devices 
can be entangled with each other and with Eve. Numerical calculations seem to suggest that the 
bound on the min-entropy does carry over to the quantum setting. Unfortunately, we are unable 
at the moment to give a rigorous proof of this claim and leave it as the main open question.